Distributed denial of service (DDoS) attacks present security and availability issues for many organizations, and in particular for enterprises engaged in content delivery services. In a DDoS attack, many distributed hosts flood a target system with traffic, such as HTTP requests directed at a web server under attack. The flood of traffic overloads the server so that the system under attack cannot respond to legitimate traffic in an effective manner. Such attacks, and the resultant unavailability, can produce several adverse consequences for the operator of the server, including loss of reputation, potential loss of business or revenue, and substantial bandwidth costs.
A conventional technique for responding to DDoS attacks is to use customer-triggered real-time black holes, otherwise known as remote triggered destination internet protocol (IP) address black hole filtering (RTDBHF). Black hole filtering (BHF) results in packets being forwarded to a router's bit bucket (e.g., the Null0, discard, or null interface). Traditionally, RTDBHF works solely on the destination address of the traffic by exploiting the forwarding logic of routers: all traffic to the attacked DNS name or IP address is sent to the null interface. RTDBHF allows destination IP address black holes to be triggered remotely, by customers or by an internet service provider. A user can remotely trigger a network-wide destination address black hole filtering response using border gateway protocol (BGP) and static routes pointing to the null interface. Thus, although RTDBHF discards attack traffic directed towards the destination and mitigates collateral damage to other systems and network availability, the targeted system is taken completely offline, as both legitimate traffic and attack traffic to the destination address are discarded.
Destination IP address enhanced BGP-triggered black holing techniques, also known as remote triggered destination enhanced black hole filtering (RTDEBHF), have been developed that address this concern. RTDEBHF techniques uniquely identify the autonomous system (AS) border routers that could direct attack traffic to the targeted system. BGP community values are also assigned to identify sets of these border routers. By using a customized internal BGP (iBGP) advertisement containing the address of the targeted network and the BGP community value, only the next hops of the selected routers are changed to the null interface, and the original next hop addresses to the targeted network on all other routers are preserved. Thus, traffic is filtered only on the routers identified as routers that could direct attack traffic and that have a specific route map match for the BGP community value, while all other traffic is forwarded to the targeted network.
An alternative conventional technique for handling DDoS attacks is to use remote triggered black hole filtering with Unicast Reverse Path Forwarding (uRPF), also known as remote triggered IP address source black hole filtering (RTSBHF). RTSBHF is a technique that allows black hole filtering based on the source address of the network traffic. uRPF techniques are combined with remotely triggered black hole filtering so that BGP can be used to distribute discard routes directed to the null interface based on the source address of the attack traffic. This results in all traffic to and from the source address being dropped.
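The three filtering behaviours described above (RTDBHF, the community-scoped RTDEBHF variant, and uRPF-based RTSBHF) can be illustrated with a small forwarding-logic simulation. This is an added example, not part of the original text or any vendor implementation; router names, prefixes, next-hop labels and the community value 65000:666 are constructed.

```python
from dataclasses import dataclass, field

NULL0 = "Null0"  # the discard (bit-bucket) interface

@dataclass
class Router:
    name: str
    fib: dict                                       # destination prefix -> next hop
    communities: set = field(default_factory=set)   # community values its route-map matches
    urpf: bool = False                              # uRPF check enabled on ingress

    def forward(self, src, dst):
        """Return the next hop for a packet, or 'drop' if it is black-holed."""
        # RTSBHF: uRPF discards packets whose *source* route points at Null0
        if self.urpf and self.fib.get(src) == NULL0:
            return "drop"
        # RTDBHF / RTDEBHF: a destination route pointing at Null0 discards the packet
        nh = self.fib.get(dst)
        return "drop" if nh in (None, NULL0) else nh

def ibgp_advertise(routers, prefix, community=None):
    """Distribute a discard route via iBGP. Without a community every router installs
    it (plain RTDBHF); with one, only routers whose route-map matches that community
    change their next hop to Null0 (RTDEBHF). Returns the routers that changed."""
    changed = []
    for r in routers:
        if community is None or community in r.communities:
            r.fib[prefix] = NULL0
            changed.append(r.name)
    return changed

TARGET, ATTACKER, CLIENT = "198.51.100.10", "203.0.113.5", "192.0.2.20"  # constructed

def build_topology():
    # Two AS border routers; only br1 faces the attack source, so only br1 carries
    # the community that the RTDEBHF advertisement is scoped to.
    base = {TARGET: "core-nh", ATTACKER: "peer-nh", CLIENT: "peer-nh"}
    return [Router("br1", dict(base), communities={"65000:666"}, urpf=True),
            Router("br2", dict(base), urpf=True)]

def scenario():
    routers, res = build_topology(), {}
    # 1. RTDEBHF: discard route for the target, scoped to community 65000:666
    res["dest_changed"] = ibgp_advertise(routers, TARGET, community="65000:666")
    res["br1_attack"] = routers[0].forward(ATTACKER, TARGET)   # dropped on br1 only
    res["br2_legit"] = routers[1].forward(CLIENT, TARGET)      # still reaches target
    # 2. RTSBHF: discard route for the attacker's source; uRPF drops it on every router
    res["src_changed"] = ibgp_advertise(routers, ATTACKER)
    res["br2_attack"] = routers[1].forward(ATTACKER, TARGET)
    res["br2_to_attacker"] = routers[1].forward(CLIENT, ATTACKER)  # "to" direction also dropped
    res["br2_legit_after"] = routers[1].forward(CLIENT, TARGET)
    return res

if __name__ == "__main__":
    print(scenario())
```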
Up until now, combining RTDBHF with RTSBHF has not been considered feasible. Thus, there is a need for more robust solutions that provide the combined benefits of RTDBHF and RTSBHF.